Trust & compliance

Security at Onpilot

We handle sensitive business data and AI interactions for our customers. Here is how we protect it.

Data Protection

  • Encrypted in transit: All data moves over encrypted connections (TLS 1.2+). HTTPS is enforced everywhere.
  • Encrypted at rest: Databases and stored files use AES-256 encryption. Backups are encrypted separately.
  • Key management: Encryption keys are kept in a dedicated secrets vault with strict lifecycle policies — never in source code.

Access Control

  • Least privilege: Employees and systems are granted only the minimum permissions required for their role.
  • Two-factor sign-in: Required for every team member accessing production systems and admin tools.
  • Role-based access: Access to sensitive data is governed by clearly defined roles, with regular reviews.
  • Secret storage: All integration credentials, API keys, and other secrets live in an encrypted vault, never in code.

Infrastructure

  • Cloud hosting: Services run on AWS with enterprise-grade physical security, SOC 1/2/3, ISO 27001, and PCI DSS certifications.
  • DDoS & WAF: Cloudflare provides DDoS protection, Web Application Firewall, and rate limiting at the edge.
  • Network segmentation: Production, staging, and development environments are isolated with strict firewall rules.
  • Immutable deployments: Containerized workloads with infrastructure-as-code minimize configuration drift.

Application Security

  • Secure SDLC: All code changes go through peer review via pull requests. Direct pushes to production branches are prohibited.
  • Input validation: All external inputs are validated and sanitized at system boundaries.
  • Dependency scanning: Automated tools monitor dependencies for known vulnerabilities with timely patching.
  • Penetration testing: Regular pen tests through qualified third parties with prompt remediation.

Monitoring & Logging

  • Real-time monitoring: All production systems are monitored for availability, performance, and security anomalies.
  • Centralized logging: Application and infrastructure logs are aggregated centrally with tamper-evident storage.
  • Audit trails: All administrative actions and data access events are logged for accountability and compliance.

Compliance & Certifications

We describe our compliance posture accurately. Our privacy and security programme is designed to align with GDPR, PIPEDA, and applicable U.S. state privacy laws (including CCPA/CPRA). Certifications and audit reports are noted below with their real status — we do not claim certifications we do not hold.

  • Trust Center: Live, continuously-monitored control status, policies, and sub-processors are published at trust.onpilot.ai.
  • SOC 2 Type 1: Examination in progress with an independent auditor (targeted 2026). This is a reporting engagement, not a certification, and the report will be available under NDA once issued.
  • ISO 27001 / ISO 42001: Readiness programme underway. Not yet certified.
  • GDPR & PIPEDA: Programme designed to align, with published notices, data-subject request workflows, and processor terms. See our Privacy Policy and DPA.
  • CCPA / CPRA: California consumer rights, opt-out of sale/sharing, and Global Privacy Control handling are described in our Privacy Policy.
  • Sub-processors: We publish the vendors that process customer data at onpilot.ai/sub-processors.
  • Underlying infrastructure: Our cloud providers maintain their own SOC 1/2/3, ISO 27001, and PCI DSS attestations for the facilities and services we build on.
  • Data residency: Primary storage in AWS us-east-1 (N. Virginia). Enterprise customers can discuss specific residency requirements.

Incident Response

We maintain a documented incident response plan:

  • Detection: Incidents are identified through automated monitoring and classified by severity.
  • Response: On-call team investigates and contains incidents promptly with immediate escalation for critical issues.
  • Notification: For breaches affecting personal data, we notify the relevant supervisory authority without undue delay and, where required, within 72 hours, and affected individuals without undue delay where the breach is likely to result in a high risk. Where we act as a processor, we notify affected customers without undue delay so they can meet their own obligations.
  • Post-mortem: Every significant incident undergoes a blameless review with documented learnings and remediation.

Responsible Disclosure

We welcome security researchers who help keep our platform safe. If you discover a vulnerability:

We acknowledge reports within 3 business days and will not pursue legal action against researchers acting in good faith.

Contact

© 2026 Onpilot AI. All rights reserved.